How Threat Actors use Enterprise Applications in Microsoft 365 to Exfiltrate Data
Utilize has seen an increase in Microsoft 365 accounts being targeted and breached because users approve MFA prompts generated by attackers' login attempts.
24 April 2025
Attackers are upping their efforts to breach Microsoft 365 accounts and exfiltrate sensitive data. You will have seen from our previous post, Protect yourself against Phishing Email Attacks, how attackers use man-in-the-middle phishing services bought on the dark web to trick users into entering their credentials, and even to bypass MFA.
We have noticed a huge increase in attackers gaining unauthorised access to Microsoft 365 accounts. Once an account is breached, they use third-party applications such as PerfectData (added to the tenant as enterprise applications) to download a full copy of the victim's mailbox. Not only does a mailbox hold sensitive information, it also holds data that lets them plan and execute future attacks: email addresses of other colleagues at the company, or of suppliers and external contacts who can then be targeted with phishing for financial gain.
Attackers use various methods to trick users into entering credentials or approving MFA requests; examples are in the blog post linked above. They also use MFA bombing, repeatedly sending push requests until the user gets frustrated and approves one. Once attackers have breached an account, they often add extra phone numbers or devices to the account's MFA methods so they can log in again later without needing to phish the user a second time.
Steps to protect yourself
- Remember: your “daily driver” account should never have any level of administrator privilege, because a breach of it could then allow lateral movement into other accounts
- As a rule of thumb, if you're not expecting the MFA request, decline it
- Train staff on understanding why security is important
- Provide staff with examples of what these attacks look like and how they can be prevented
- Report any suspicious activity immediately
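Alongside the steps above, the two actions described earlier, a user consenting to a third-party mailbox application and a new MFA method being registered, both leave entries in the Microsoft Entra ID audit log. The following Python script is an added example, not Utilize's or Microsoft's own tooling: it runs over constructed sample records shaped like Graph directoryAudits entries and flags consents that grant mailbox-wide scopes (PerfectData-style access) and MFA registrations. The record field names and the `ConsentAction.Permissions` text format are assumptions about the exported shape and should be checked against your tenant's logs.

```python
import json
import re
# Constructed sample records (not real log data), shaped like Microsoft Entra ID audit
# log entries from the Graph directoryAudits endpoint; field names are an assumption.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "PerfectData Software", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] -> [[ConsentType: Principal, Scope: Mail.Read User.Read offline_access]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "Internal Timesheet App", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] -> [[ConsentType: Principal, Scope: User.Read]]"}]}]},
    {"activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "resultReason": "User registered Mobile Phone SMS", "targetResources": []},
])

# Scopes that let an app read or sync a whole mailbox rather than just the user's profile.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "full_access_as_app",
                  "EWS.AccessAsUser.All", "IMAP.AccessAsUser.All", "POP.AccessAsUser.All"}

def consent_scopes(entry):
    """Extract the granted scopes from a 'Consent to application' record."""
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                m = re.search(r"Scope:\s*([^\],]+)", prop.get("newValue", ""))
                return set(m.group(1).split()) if m else set()
    return set()

def review_audit_log(raw_json):
    """Return findings to triage: mailbox-wide app consents and newly registered MFA methods."""
    findings = []
    for entry in json.loads(raw_json):
        user = entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        activity = entry.get("activityDisplayName")
        if activity == "Consent to application":
            risky = consent_scopes(entry) & MAILBOX_SCOPES
            if risky:  # a consent for only User.Read is benign and is not reported
                app = entry["targetResources"][0].get("displayName", "?")
                findings.append({"kind": "mailbox_consent", "user": user, "app": app,
                                 "scopes": sorted(risky)})
        elif activity == "User registered security info":
            findings.append({"kind": "mfa_method_added", "user": user,
                             "detail": entry.get("resultReason", "")})
    return findings
```

An `mfa_method_added` finding on its own can be legitimate; it is the combination with a mailbox consent or an unexpected sign-in for the same user that should trigger the account-securing process.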
In this day and age, data is everything! It's almost a currency: it is not only sold, but its loss can cause huge reputational damage with fallout lasting for years.
Just think of a scenario we see almost daily on the Utilize Service Desk…
- an employee's account is breached because they approve a non-genuine MFA request
- the attacker logs in (unknown to the end user), downloads a copy of the mailbox and carries out reconnaissance for weeks
- this data is sold on the dark web. Months or years later further attacks happen: your customers receive emails they believe are genuine and reply with sales orders. This damages your reputation. At this point you report to the ICO, and the investigation shows the mailbox had been breached for some time.
This is all a nightmare for a business, and it is completely avoidable with a proper MFA solution and end user training. Utilize offer training and solutions to avoid this, but end users will always be the weakest link in the chain. That is why it's imperative for staff to understand and appreciate the importance of security, as one simple approval of an MFA prompt can cause unthinkable damage to an organisation!
We are here to support you: if an account is breached, Utilize have a highly detailed process to quickly secure the account. Unfortunately, by that stage the damage may already have been done, which is why it's so important to make sure users understand these types of attacks. You wouldn't leave your keys in your front door, would you? So why would you willingly approve an MFA prompt you aren't expecting!?
Feel free to contact Utilize if you have any questions or want to learn more about how we can help secure your IT environment.